kerberos ticket cache

Tom Yu tlyu at mit.edu
Fri Jul 10 09:52:20 EDT 2015


Andrew Levin <amlevin at mit.edu> writes:

> I have noticed that even after I delete my Kerberos ticket cache, as below, I remain authenticated (e.g., I can open files in an area where Kerberos authentication is required). How is this possible?
>
> [anlevin@lxplus0055 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_13535_4nn0mf
> Default principal: anlevin@CERN.CH
>
> Valid starting     Expires            Service principal
> 07/10/15 09:54:58  07/11/15 10:54:58  krbtgt/CERN.CH@CERN.CH
>         renew until 07/15/15 09:54:58
> 07/10/15 09:54:59  07/11/15 10:54:58  afs/cern.ch@CERN.CH
>         renew until 07/15/15 09:54:58
> [anlevin@lxplus0055 ~]$ rm /tmp/krb5cc_13535_4nn0mf

You didn't mention which sort of remote filesystem you're concerned
with, but based on your klist output, you might be using AFS.  The AFS
client maintains a separate cache of AFS tokens, derived from the
afs/cellname Kerberos ticket.  You can typically use the "unlog" command
to destroy those AFS tokens.

Also, we generally recommend that people use kdestroy to destroy
Kerberos tickets.
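
Added example, not part of the original message: a shell sketch of a logout that clears both credential stores mentioned in the reply and then checks that nothing is left. The function names and the sample `tokens` output are constructed for illustration; `kdestroy`, `klist -s`, `unlog` and `tokens` are the standard MIT Kerberos and OpenAFS commands.

```shell
#!/bin/sh
# Kerberos tickets live in the credential cache; AFS tokens live in the
# AFS cache manager. Removing the cache file leaves the tokens in place,
# so a logout has to clear both stores and verify both.

# Count AFS tokens in `tokens` output read from stdin (prints 0 if none).
count_afs_tokens() {
    grep -c 'tokens for ' || true
}

# Constructed sample of `tokens` output while a token is still held.
sample_tokens_held() {
cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@cern.ch [Expires Jul 11 10:54]
   --End of list--
EOF
}

# Constructed sample of `tokens` output after unlog.
sample_tokens_empty() {
cat <<'EOF'
Tokens held by the Cache Manager:

   --End of list--
EOF
}

# Destroy tickets and tokens; return 1 if either store still holds credentials.
secure_logout() {
    remaining=0
    if command -v kdestroy >/dev/null 2>&1; then kdestroy; fi
    if command -v unlog >/dev/null 2>&1; then unlog; fi
    # klist -s prints nothing and exits 0 only when valid tickets exist.
    if command -v klist >/dev/null 2>&1 && klist -s; then
        echo "Kerberos tickets still present" >&2
        remaining=1
    fi
    if command -v tokens >/dev/null 2>&1; then
        n=$(tokens | count_afs_tokens)
        if [ "$n" -gt 0 ]; then
            echo "$n AFS token(s) still held" >&2
            remaining=1
        fi
    fi
    return "$remaining"
}

if [ "${1:-}" = "--run" ]; then secure_logout; fi
```

Run the script with `--run` at the end of a session; a non-zero exit status means credentials survived the cleanup.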

